[Git][security-tracker-team/security-tracker][master] bookworm/trixie triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Sep 10 14:12:05 BST 2025



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f405fa9a by Moritz Muehlenhoff at 2025-09-10T15:11:54+02:00
bookworm/trixie triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -21,6 +21,8 @@ CVE-2025-9994 (The Amp\u2019ed RF BT-AP 111 Bluetooth access point's HTTP admin
 	NOT-FOR-US: Amped RF
 CVE-2025-9951 (A heap-buffer-overflow write exists in jpeg2000dec FFmpeg which allows ...)
 	- ffmpeg <unfixed>
+	[trixie] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 7.1 branch)
+	[bullseye] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 4.3 branch)
 	NOTE: https://github.com/google/security-research/security/advisories/GHSA-39q3-f8jq-v6mg
 CVE-2025-9872 (Insufficient filename validation in Ivanti Endpoint Manager before 202 ...)
 	NOT-FOR-US: Ivanti
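Review bot: no [bookworm] annotation is added for ffmpeg on CVE-2025-9951 even though the commit is titled bookworm/trixie triage and both the [trixie] and [bullseye] lines above receive a <postponed> status; if bookworm's ffmpeg is affected as well it needs a matching line (for example `[bookworm] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the corresponding upstream branch)`), otherwise the tracker keeps listing bookworm as open for this CVE.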
@@ -44,6 +46,8 @@ CVE-2025-8711 (CSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti P
 	NOT-FOR-US: Ivanti
 CVE-2025-8277 (A flaw was found in libssh's handling of key exchange (KEX) processes  ...)
 	- libssh <unfixed>
+	[trixie] - libssh <no-dsa> (Minor issue)
+	[bookworm] - libssh <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2383888
 	NOTE: https://www.libssh.org/security/advisories/CVE-2025-8277.txt
 CVE-2025-8008 (A security issue exists in the protected mode of EN4TR devices, where  ...)
@@ -1059,7 +1063,9 @@ CVE-2025-9709 (On-Chip Debug and Test Interface With Improper Access Control and
 CVE-2025-9566 (There's a vulnerability in podman where an attacker may use the kube p ...)
 	[experimental] - podman 5.6.1+ds1-1
 	- podman <unfixed> (bug #1114526)
+	[trixie] - podman <no-dsa> (Minor issue)
 	- libpod <removed>
+	[bookworm] - libpod <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2393152
 	NOTE: Fixed by: https://github.com/containers/podman/commit/aaf8b9dc0cfec76444f7eda60660347646b90a13 (v5.6.1)
 CVE-2025-9057 (The Biagiotti Core plugin for WordPress is vulnerable to Stored Cross- ...)
@@ -3049,8 +3055,12 @@ CVE-2025-9769 (A security flaw has been discovered in D-Link DI-7400G+ 19.12.25A
 	NOT-FOR-US: D-Link
 CVE-2025-9375 (XML Injection vulnerability in xmltodict allows Input Data Manipulatio ...)
 	- python-xmltodict <unfixed> (bug #1113825)
+	[trixie] - python-xmltodict <no-dsa> (Minor issue)
+	[bookworm] - python-xmltodict <no-dsa> (Minor issue)
 	NOTE: https://github.com/martinblech/xmltodict/issues/377
 	NOTE: https://fluidattacks.com/advisories/mono
+	NOTE: https://github.com/martinblech/xmltodict/commit/ecd456ab88d379514b116ef9293318b74e5ed3ee (v0.15.0)
+	NOTE: https://github.com/martinblech/xmltodict/commit/f98c90f071228ed73df997807298e1df4f790c33 (v0.15.1)
 CVE-2025-57799 (StreamVault is a multi-platform video parsing and downloading tool. Pr ...)
 	NOT-FOR-US: StreamVault
 CVE-2025-55007 (Knowage is an open source analytics and business intelligence suite. P ...)
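Review bot: the two commit NOTE lines added for python-xmltodict are bare URLs, while the rest of this file marks fixing commits with a `Fixed by:` prefix (see the podman and log4cxx entries in this same patch); writing them as `NOTE: Fixed by: https://github.com/martinblech/xmltodict/commit/ecd456ab88d379514b116ef9293318b74e5ed3ee (v0.15.0)` keeps the fix references machine-consistent. Since two upstream commits from two releases (v0.15.0 and v0.15.1) are cited, a short remark on why both are needed (for instance if the first fix was incomplete) would help whoever prepares a backport.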
@@ -5350,11 +5360,15 @@ CVE-2025-55398 (An issue was discovered in mouse07410 asn1c thru 0.9.29 (2025-03
 	NOT-FOR-US: mouse07410 asn1c
 CVE-2025-54813 (Improper Output Neutralization for Logs vulnerability in Apache Log4cx ...)
 	- log4cxx <unfixed> (bug #1111881)
+	[trixie] - log4cxx <no-dsa> (Minor issue)
+	[bookworm] - log4cxx <no-dsa> (Minor issue)
 	NOTE: https://logging.apache.org/security.html#CVE-2025-54813
 	NOTE: https://github.com/apache/logging-log4cxx/pull/512
 	NOTE: Fixed by: https://github.com/apache/logging-log4cxx/commit/a799c934545311ff4179c68e16bbeb02b5c66348 (rel/v1.5.0, v1.5.0-RC1)
 CVE-2025-54812 (Improper Output Neutralization for Logs vulnerability in Apache Log4cx ...)
 	- log4cxx <unfixed> (bug #1111879)
+	[trixie] - log4cxx <no-dsa> (Minor issue)
+	[bookworm] - log4cxx <no-dsa> (Minor issue)
 	NOTE: https://logging.apache.org/security.html#CVE-2025-54812
 	NOTE: https://github.com/apache/logging-log4cxx/pull/509
 	NOTE: https://github.com/apache/logging-log4cxx/commit/1c599de956ae9eedd8b5e3f744bfb867c39e8bba (rel/v1.5.0, rv1.5.0-RC1)
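Review bot: the context line `NOTE: https://github.com/apache/logging-log4cxx/commit/1c599de956ae9eedd8b5e3f744bfb867c39e8bba (rel/v1.5.0, rv1.5.0-RC1)` for CVE-2025-54812 carries a stray `r` in `rv1.5.0-RC1` (the sibling CVE-2025-54813 entry has `v1.5.0-RC1`) and lacks the `Fixed by:` prefix that the sibling entry uses; as this hunk already touches both log4cxx entries, it is a good moment to align them.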
@@ -27214,6 +27228,8 @@ CVE-2024-44906 (uptrace pgdriver v1.2.1 was discovered to contain a SQL injectio
 	NOT-FOR-US: uptrace pgdriver
 CVE-2024-44905 (go-pg pg v10.13.0 was discovered to contain a SQL injection vulnerabil ...)
 	- golang-gopkg-pg.v5 <unfixed> (bug #1111939)
+	[trixie] - golang-gopkg-pg.v5 <no-dsa> (Minor issue)
+	[bookworm] - golang-gopkg-pg.v5 <no-dsa> (Minor issue)
 	NOTE: https://github.com/advisories/GHSA-6xp3-p59p-q4fj
 	NOTE: Fixed by: https://github.com/go-pg/pg/commit/eff50a43724e52347559687a6945c116afbb41c1 (v10.15.0)
 CVE-2023-45256 (Multiple SQL injection vulnerabilities in the EuroInformation Monetico ...)
@@ -30987,7 +31003,9 @@ CVE-2025-48942 (vLLM is an inference and serving engine for large language model
 	- vllm <itp> (bug #1095237)
 CVE-2025-48938 (go-gh is a collection of Go modules to make authoring GitHub CLI exten ...)
 	- golang-github-cli-go-gh <unfixed> (bug #1107084)
+	[bookworm] - golang-github-cli-go-gh <no-dsa> (Minor issue)
 	- golang-github-cli-go-gh-v2 <unfixed> (bug #1107083)
+	[trixie] - golang-github-cli-go-gh-v2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/cli/go-gh/security/advisories/GHSA-g9f5-x53j-h563
 	NOTE: Fixed by: https://github.com/cli/go-gh/commit/df956a6624bc1210543873062ce0905357be1299 (v2.12.1)
 	NOTE: Fixed by: https://github.com/cli/go-gh/commit/0f8a22fe3a4b3d418268dfef57bcee15330f5b15 (v2.12.1)
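Review bot: each go-gh source package gets exactly one suite annotation here, golang-github-cli-go-gh only for [bookworm] and golang-github-cli-go-gh-v2 only for [trixie]; if either source package is also shipped in the other suite, that suite will still show as unfixed for it, so it is worth confirming the package-to-suite mapping before this lands.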
@@ -43138,6 +43156,7 @@ CVE-2024-58250 (The passprompt plugin in pppd in ppp before 2.5.2 mishandles pri
 	NOTE: configurations)
 CVE-2025-3839 [Require user interaction before opening URL in external application]
 	- epiphany-browser 48.1-1
+	[bookworm] - epiphany-browser <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/issues/2641
 	NOTE: Fixed by: https://gitlab.gnome.org/GNOME/epiphany/-/commit/324e25caee659bce43ff5c614d105f64899dfb7f (48.1)
 	NOTE: Fixed by: https://gitlab.gnome.org/GNOME/epiphany/-/commit/9f80e7e80b75212627790d74041d46eedb6e321e (47.5)
@@ -55854,6 +55873,7 @@ CVE-2025-2489 (Insecure information storage vulnerability in NTFS Tools version
 	NOT-FOR-US: NTFS Tools
 CVE-2025-2487 (A flaw was found in the 389-ds-base LDAP Server. This issue occurs whe ...)
 	- 389-ds-base 3.1.2+dfsg1-1 (bug #1100994)
+	[bookworm] - 389-ds-base <no-dsa> (Minor issue)
 	[bullseye] - 389-ds-base <postponed> (need priviligied user; DoS)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2353071
 CVE-2025-2450 (NI Vision Builder AI VBAI File Processing Missing Warning Remote Code  ...)
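Review bot: the new `[bookworm] - 389-ds-base <no-dsa> (Minor issue)` line gives only a generic rationale, while the bullseye line directly below spells out the actual reason (`need priviligied user; DoS`); reusing the specific rationale helps whoever re-triages later, and the context line's `priviligied` is a typo for `privileged` that could be corrected in the same entry.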
@@ -89507,6 +89527,7 @@ CVE-2024-53860 (sp-php-email-handler is a PHP package for handling contact form
 	NOT-FOR-US: sp-php-email-handler
 CVE-2024-53859 (go-gh is a Go module for interacting with the `gh` utility and the Git ...)
 	- golang-github-cli-go-gh-v2 <unfixed> (bug #1088815)
+	[trixie] - golang-github-cli-go-gh-v2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/cli/go-gh/security/advisories/GHSA-55v3-xh23-96gh
 CVE-2024-53858 (The gh cli is GitHub\u2019s official command line tool. A security vul ...)
 	- gh 2.46.0-3 (bug #1088808)


=====================================
data/dsa-needed.txt
=====================================
@@ -17,6 +17,8 @@ amd64-microcode (carnil)
 --
 ark/oldstable (jmm)
 --
+cjson (jmm)
+--
 chromium (dilinger)
 --
 frr/oldstable
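Review bot: `cjson (jmm)` is inserted before `chromium (dilinger)`, but the surrounding entries (amd64-microcode, ark, chromium, frr) are in alphabetical order and `chromium` sorts before `cjson`; move the new two-line block after the `chromium` entry so data/dsa-needed.txt stays sorted.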



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f405fa9a6db01f6c5d61222fdca9b5735092c927
